
New Member

Spanning-tree portfast help.

I have spanning-tree portfast enabled across all (non-trunk) ports in our enterprise. In fact, using the auxiliary VLAN on ports (switchport voice vlan X) enables spanning-tree on the port. I have also globally enabled spanning-tree portfast bpduguard default to mitigate the possibility of anyone plugging a smart switch into these ports and creating a loop.

Last Friday, someone in the conference rooms looped 2 ports by plugging a dumb switch (non-manageable) into 2 ports on the wall configured as edge ports (spanning-tree portfast), which created a loop and the network almost dropped. Eventually one of the ports got disabled due to spanning-tree portfast bpduguard, but for 2 to 3 minutes the network was in disarray.

How can I prevent this from ever happening again? I thought portfast bpduguard default would do the trick, but it did not, or at least not rapidly enough to avoid network problems and user complaints. Do I have to disable spanning-tree portfast on all edge ports? I have VoIP phones on many of these ports. I've opened a case with Cisco and basically what they told me is to disable spanning-tree portfast if I can, or they advised me to enable port-security, but that's another topic I don't want to pursue just yet.

Any help or solutions would be welcomed and very much appreciated.

5 REPLIES
Hall of Fame Super Bronze

Re: Spanning-tree portfast help.

Dumb switches do not send BPDUs, so BPDU Guard won't be useful. What we usually recommend is implementing port-security in addition to BPDU Guard. If you know the port limit is 2 MAC addresses, implement port-security with such a limit. As soon as a 3rd device is learned via that switchport, it will go into err-disabled.

Regards,

Edison

New Member

Re: Spanning-tree portfast help.

Thanks for replying Edison,

Yes, dumb switches don't send BPDUs, but since the port is connected back to a second port on the manageable switch, wouldn't that send BPDUs?

port1:switcha<-----(dumb-switch)------>port2:switcha  where switcha is a 3750 with bpduguard default and portfast on both ports.

Imagine a situation where someone with a bit of knowledge maliciously takes a patch cord and plugs it from port A to port B (the patch cord might need to be a crossover). If there is no other solution but port-security, I will do that, or ultimately disable spanning-tree portfast across the enterprise.

Hall of Fame Super Bronze

Re: Spanning-tree portfast help.

I understand your concern but there isn't any other solution to this dilemma.

Another common practice is to disable unused ports.

Regards,

Edison

New Member

Re: Spanning-tree portfast help.

For the record:

I intentionally created a loop using a dumb switch, and also a direct connection from Fast 0/z to Fast 0/x, and bpduguard seems to have mitigated the issue right away. One of the ports gets err-disabled right away. I tried several times, all with the same results.

Now I wonder why in our other building it took at least 5 minutes before detecting the anomaly.

Anyone have further ideas?
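When the question is "how long did the switch take to err-disable the looped port, and why", the answer is in the switch syslog: the BPDU Guard trigger (%SPANTREE-2-BLOCK_BPDUGUARD), the port-security trigger (%PORT_SECURITY-2-PSECURE_VIOLATION), the err-disable action (%PM-4-ERR_DISABLE) and any errdisable recovery (%PM-4-ERR_RECOVER) are all timestamped. The script below is an added example, not code from this thread or from Cisco: it parses those messages, builds a per-port timeline, and reports the reason, the time between trigger and shutdown, and whether the port was recovered. The log lines embedded in it are constructed samples with made-up interface names and MAC address; the message formats are the standard IOS ones.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog excerpt (not from the thread). Interface names,
# timestamps and the MAC address are made up; the message formats are IOS's.
SAMPLE_LOG = """\
Mar  7 09:12:01.112: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/3 with BPDU Guard enabled. Disabling port.
Mar  7 09:12:01.120: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
Mar  7 09:12:01.125: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Mar  7 09:40:17.003: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
Mar  7 09:40:17.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  7 09:45:17.030: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/7
"""

# Generic IOS syslog header: timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
_ERRDISABLE = re.compile(r"^(?P<reason>[\w-]+) error detected on (?P<port>[\w/]+), putting")
_RECOVER = re.compile(r"recover from (?P<reason>[\w-]+) err-disable state on (?P<port>[\w/]+)")
_BPDU = re.compile(r"Received BPDU on port (?P<port>[\w/]+) with BPDU Guard")
_PSEC = re.compile(r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[\w/]+)")

# IOS mixes long and short interface names across messages; normalise to short.
_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_port(name):
    """FastEthernet0/3 -> Fa0/3; names already short are returned unchanged."""
    for long_form, short_form in _SHORT.items():
        if name.startswith(long_form):
            return short_form + name[len(long_form):]
    return name


def parse_syslog(text):
    """Split raw syslog text into dicts; lines that are not IOS messages are skipped."""
    events = []
    for line in text.splitlines():
        m = _HDR.match(line.strip())
        if not m:
            continue
        events.append({
            # No year in the timestamp, so the datetime defaults to 1900; fine for deltas.
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "facility": m["fac"], "severity": int(m["sev"]),
            "mnemonic": m["mnem"], "msg": m["msg"],
        })
    return events


def summarize(text):
    """Per-port timeline: what triggered err-disable, when it fired, whether it recovered."""
    ports = {}
    for ev in parse_syslog(text):
        msg, mnem = ev["msg"], ev["mnemonic"]
        if mnem == "BLOCK_BPDUGUARD" and (m := _BPDU.search(msg)):
            p = ports.setdefault(short_port(m["port"]), {})
            p.update(trigger="BPDU received on edge port", trigger_at=ev["ts"])
        elif mnem == "PSECURE_VIOLATION" and (m := _PSEC.search(msg)):
            p = ports.setdefault(short_port(m["port"]), {})
            p.update(trigger="port-security violation", offending_mac=m["mac"], trigger_at=ev["ts"])
        elif mnem == "ERR_DISABLE" and (m := _ERRDISABLE.search(msg)):
            p = ports.setdefault(short_port(m["port"]), {})
            p.update(reason=m["reason"], disabled_at=ev["ts"], recovered=False)
        elif mnem == "ERR_RECOVER" and (m := _RECOVER.search(msg)):
            p = ports.setdefault(short_port(m["port"]), {})
            p.update(recovered=True, recovered_at=ev["ts"])
    return ports


def seconds_to_disable(port_info):
    """Delay between the trigger message and the err-disable action, or None if unknown."""
    if "trigger_at" not in port_info or "disabled_at" not in port_info:
        return None
    return (port_info["disabled_at"] - port_info["trigger_at"]).total_seconds()


def reason_counts(text):
    """How many ports were err-disabled per reason, e.g. to spot recurring loops."""
    return dict(Counter(p["reason"] for p in summarize(text).values() if "reason" in p))


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        print(f"{port:8} reason={info.get('reason'):18} trigger={info.get('trigger')} "
              f"delay={seconds_to_disable(info)}s recovered={info.get('recovered')}")
    print(reason_counts(SAMPLE_LOG))
```

Run against a real export from the logging buffer or a syslog collector; a long gap between the first %SPANTREE/%PORT_SECURITY trigger and the %PM-4-ERR_DISABLE line, or a trigger with no err-disable at all, is what to look for when a port took minutes to shut down. Note that the switch only logs with useful timestamps if `service timestamps log datetime msec` is configured.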

New Member

Re: Spanning-tree portfast help.

Hi,

Did you try BPDU filter?

Regards,

V Dinesh Kumar
